Many of you have read about the evils of SMBv1, one of the great Windows malware attack vectors of all time. Microsoft fixed much of the problem back
[See the full post at: SMBv1 not installed by default in Win10 1709 or later… except…]
SMBv1 not installed by default in Win10 1709 or later… except…
- This topic has 21 replies, 10 voices, and was last updated 4 years, 10 months ago.
Tags: SMBv1
AlexN
AskWoody Lounger -
Noel Carboni
AskWoody_MVP
At one time intra-computer communications (e.g., by SMBv1) on a Local Area Network (LAN) were protected more or less by your router, presuming you didn’t have it set up to expose your file and printer sharing to the world. Basically, because the router by its nature blocked incoming connection attempts the world couldn’t easily beat a path to your computer’s LAN interface.
In this day and age of wifi and IoT devices being brought into the home, this is not nearly as cut and dried as it used to be.
Let’s say, for example, you buy a wireless printer. Or maybe your new, green heat pump water heater has a wireless capability. Or your kid visits with a new smart phone. Or you get one of those front door camera things. Of course you set up the device to access your wireless network. At this point it’s on your LAN.
Now further assume the device’s controller regularly connects to sites online, and maybe even has a software download process in place. Wireless printers do this all the time. You want the latest software features, right? Firmware updates? Integration with your cloud storage? To be able to see who’s at your front door from your smart phone while you’re out?
All these things mean that the device MAY be vulnerable to being co-opted into becoming malicious and start attacking your other devices. Or even just snooping on your communications as they go by. Suddenly there you are, with an attacker right on your LAN, potentially probing your computer for things like SMBv1 vulnerabilities. And just because it didn’t happen today doesn’t mean it won’t happen tomorrow.
The scary part is that for the simple convenience of being able to control things or get pictures of whomever’s at your door or have a printer you can set up anywhere with only a power cord, we’re all too willingly opening big holes in our security environments. Even just bringing a smart phone or tablet onto the wifi opens up new security issues.
There are things you can do, too, under some conditions. For example you can configure many/most devices to use the “guest access” part of your wifi, which is often cordoned off from other devices by the wifi router.
Make sure that if you don’t need communications with XP systems on your LAN that you have disabled SMBv1.
Bottom line: Don’t assume your router is keeping your systems on “the inside” of your LAN as safe as it once did.
-Noel
9 users thanked author for this post.
-
Ascaris
AskWoody MVP
In that scenario, you’ve already allowed malware into your local area network. It’s already past the perimeter, and the best you can hope for by eliminating SMB1 would be to keep the malware from certain kinds of MitM and similar attacks. It still wouldn’t change the fact that the malware is there on the system, or even let you know that it’s there.
From your previous posts, you’ve opined that using antimalware products is using the wrong approach, that the idea is to keep malware from entering the system, and it’s too late if you wait for the malware to get in there before you act to counter it (I hope I have paraphrased accurately). There’s truth in that, and while I don’t avoid antimalware products (I find the second-order protection they give if despite my careful browsing habits, malware gets on my system anyway, as it once did from a drive-by malware that exploited a Java zero-day back when everyone ran Java), I do understand the logic behind it, and certainly I agree that considering antimalware software to be a first-line defense against infection is a disaster waiting to happen.
It’s much the same with SMB1. In order for the relative vulnerability to matter, malware has to be on a device within the “trusted” zone, and only then if you are using password-protected shares. Even then, not using SMB1 will only (at best) keep the malware from spreading to other devices on the network… it won’t eliminate the infection or alert you to its presence.
That’s not to say that everyone should keep SMB1, of course. If you have password-protected shares, you have to understand that SMB1 doesn’t offer much protection, so you should seriously consider dumping it. If you’re not using SMB1 at all, you might as well get rid of it, but the group of people who use it potentially goes beyond those who use older NAS devices or have XP PCs on the network. Personally, I’m keeping SMB1 because I still use NetBIOS to browse the shares on my network (mixed Linux and Windows), and it’s all open shares anyway, so it’s already at the minimum level of security– lower even than SMB1 with password protection.
I won’t touch IoT things with a ten foot pole, though, so there’s that. No smart… anything.
In response to Windows 10 (supposedly?) cutting off SMB1, Linux Mint 19 (I don’t know how far upstream this goes) disabled it to ensure compatibility, which (unsurprisingly) resulted in complaints that network shares were not showing up in the browser list. If it were truly a “you won’t even notice it being gone” thing, that would be a different story, but the ancient NetBIOS is still in use even now. Fortunately, adding SMB1 back to Mint was as easy as adding a single line to a config file.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon
4 users thanked author for this post.
-
Noel Carboni
AskWoody_MVP
Yes, you get it.
Thing is, we may no longer have as much control over malware getting in to our local network. The incentives to bringing things into the home are growing (smart TV anyone?), so the tendency is to just enable them to access what once could be considered the trusted circle.
We might think about security a lot when we’re at our computers, then put it out of our minds when unboxing the cool new 60″ LCD TV.
-Noel
-
-
-
GoneToPlaid
AskWoody Lounger
I don’t allow any IoT devices in my home — period — other than my TV which is forced to connect via cable instead of directly through the Internet via my home router.
In the past year, four associates at work have become victims of identity fraud, and not one of them knows how this occurred.
IoT is the Internet of Things
SoIT is the Security of Internet Things
SoIT virtually does not exist.
Yeah, go ahead and let IoT into your home. And when you either get hacked or when your identity gets stolen, just remember, “You let it into your home.”
I tried disabling SMB1 on all of my Win7 computers on my home network, and I found that when doing so, my computers had trouble seeing drive shares within my home network. And I also found that two of my printers were no longer available on my home network.
Thus I had to re-enable SMB1, and I rely on my router’s firewall and on AV protection which prevents the encryption of specified drives and folders by any new program or process which might mysteriously launch.
The upshot is that I couldn’t kill SMB1 without killing my ability for my Win7 computers (no server) to properly see one another’s network shares, and to print to my home printers.
5 users thanked author for this post.
-
Ascaris
AskWoody MVP
That’s the one bit of disabling SMB1 that people like Ned Pyle just seem to gloss over when they just say “disable SMB1.” When you do that, the ability to browse network shares often vanishes on home networks, and that’s not something that everyone knows how to work around, particularly when they are accustomed to the “just works” way that things used to be with SMB1.
With SMB1 disabled, you can still access your shares by using the IP address directly, i.e. \\192.168.1.200\sharename. For that to really work in a practical sense (so you don’t have to look up the share server’s IP address each time manually), you would have to have reserved IP addresses, which most routers are able to do without too much difficulty (I was doing that on my network before any of this push to disable SMB1 started, just for my own convenience). If you do that, you can create shortcuts to the various shares by IP and place them in the navigation pane of File Explorer, which makes it easy to reach your shares if they are available.
There are other ways of enabling name resolution, like using the hosts file or setting up a DNS server on the router or as a standalone, but none of them advertise when a share is available, so you still can’t get a list of the shares that are available at that moment for browsing. For that, NetBIOS has been the old standby, but that requires SMB1.
WS-Discovery and UPnP/SSDP are supposed to be replacements in Windows-land (and Avahi in Linux, as well as Bonjour in MacOS), but I don’t know much about using any of them. UPnP was one of those things everyone was supposed to disable (much like SMB1 is now) back in the day, and since I was not using it for anything anyway, I always have. I know that enabling UPnP in Windows didn’t bring back the lost browsing functionality when I tried it back when EternalBlue and WannaCry were in the news, and since I had nothing to gain by disabling SMB1 anyway on my open-share LAN, I just re-enabled it rather than continue to beat my head against the wall trying to get a non-SMB1 network to work as I wanted.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon
1 user thanked author for this post.
-
Noel Carboni
AskWoody_MVP
That’s the one bit of disabling SMB1 that people like Ned Pyle just seem to gloss over when they just say “disable SMB1.” When you do that…
What if, in an imaginary world, Microsoft were publishing things on purpose that will sound like a good idea while simultaneously making older Windows versions less and less desirable to use…
And possibly in a bigger sense, making Windows (all versions) less and less desirable…
When would published advice to “disable the things that make your home network do just what you need it to do” make sense?
Bear in mind that Microsoft is hands-down the best manager of mediocrity on the planet, bar none. Their past mistakes (poorly implemented protocol that is still somehow a security risk, anyone?) are now leverage. They might seem to be making boneheaded decisions, but is it possible their goals are simply not obvious?
https://www.youtube.com/watch?v=1CYA3eLs-lE
-Noel
1 user thanked author for this post.
-
b
Manager
What if, in an imaginary world, Microsoft were publishing things on purpose that will sound like a good idea while simultaneously making older Windows versions less and less desirable to use…
Good job that’s an imaginary world. In the real world they’re using a “charm offensive”:
Windows 7’s impending EOL triggers Windows 10 charm offensive
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
1 user thanked author for this post.
-
-
-
BobbyB
AskWoody Lounger
Yeah if you want SMB1.0/CIFS out you have to remove it in Win’s 10 1709, 1803 more often than not it shows as a “black Square” which, if memory serves me, is not fully installed but functional. For 1803 Network lovers in life after “Home Groups” leave it in there until you manage to get your network working to your satisfaction, then “untick/take it out” and you should find you’ll not miss it besides again from memory you still have either SMB 2.0 or 3.0 to fall back on that are uncompromised yet!
-
RetiredGeek
AskWoody MVP
Bobby,
I experimented with the SMB 1.0 settings and found that with it entirely uninstalled I could not use the local network (entirely userid/password controlled). Windows would just not find the computers where it was turned off. I tried this on both 1709 & 1803. It would however see my Western Digital MyBook Live and my Brother 5450DN printer. Turning only the Client back on restored full network functionality. So what am I missing that it wouldn’t use V2 or V3?
-
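One way to see which machines actually fall back to SMB1, so the dependency is known before the client or server component is removed. This is an added example, not part of any post in the thread; it assumes Windows 10 with the built-in SMB cmdlets, an elevated PowerShell prompt, and that the audit event text contains a "Client Address:" field.

```powershell
# Added example (not from the thread). Elevated PowerShell on Windows 10.
# Run it while SMB1 is still installed: once the SMB1 client is removed,
# connections to SMB1-only devices simply fail and never show up here.

# 1. Outbound: dialect negotiated with every server this PC has a share open on.
#    Open the shares first (for example \\192.168.1.200\sharename).
#    Assumption: SMB1 connections are reported with a dialect below 2.
$outbound = Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
$outbound | Sort-Object ServerName | Format-Table -AutoSize

$smb1Servers = $outbound |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object -ExpandProperty ServerName -Unique
if ($smb1Servers) {
    "These servers only negotiated SMB1 with this PC: $($smb1Servers -join ', ')"
} else {
    'No open connection is using SMB1.'
}

# 2. Inbound, right now: clients connected to this PC's own shares.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# 3. Inbound, over time: log every SMB1 connection to this PC's shares.
#    Leave this on for a few days of normal use before reading the log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1Client {
    # Event 3000 in the SMBServer audit log is written for each SMB1 access.
    # Assumption: the message text carries the peer as "Client Address: <ip>".
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-Smb1Client | Format-Table -AutoSize
```

An empty result from `Get-Smb1Client` after a representative period means nothing on the LAN has used SMB1 against this PC's shares.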
BobbyB
AskWoody Lounger
@retiredgeek sorry to hear about your networking woes, it was a major Grrrr as you will see in the following links here. Probably predicated by the fact years ago we purchased a “Job lot” of Routers that were deployed in the field, many still out there, and lurking in all sorts of “nooks and crannies” throughout the Building. Here’s a few snippets of the trials and tribulations encountered.
https://www.askwoody.com/forums/topic/heres-a-list-of-the-major-known-bugs-in-win10-version-1803/#post-190814
https://www.askwoody.com/forums/topic/heres-a-list-of-the-major-known-bugs-in-win10-version-1803/#post-193889
For me the most reliable way was to install Reliable Multicast protocol, set both “Function publish” etc in Services.msc to Auto or Auto delayed (M$ Preference) oh and make sure they’re running that seemed to work and works first time every time and Disable IPV6. As for Win8.1 it’s disabled through add/remove in Features and I took it out in Win7 with Admin PS CMD Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Value 0 -Force you could always edit Registry manually I guess.
http://www.vinransomware.com/images/news/15-05-17/12.JPG
Although I have found Win7 Networking indestructible over the years, maybe that’s why M$ is trying to kill Win7 it works!! (pardon my sarcasm 😉 ) As I have noted from your posts in the past you’re exceptionally knowledgeable so none of this is an anathema to you but hey if it ain’t broke don’t fix it lol It’s a whole can of worms as you know especially multiplied by many machines, although I suppose it’s a security thing so may warrant some attention alas.
-
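The per-version switches mentioned in the post above, gathered into one script that first reports the SMB1 state and only changes it when asked. This is an added example, not code from the thread: `Get-Smb1State` and `$DisableServer` are names made up here, and the server-only removal assumes Windows 10 1709 or later, where the client and server components are separate features (the separate listing is what a partially filled checkbox in Windows Features summarizes).

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasFeatures = [bool](Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue)

function Get-Smb1State {
    if ($hasFeatures) {
        # Windows 8.1 / 10: SMB1 is an optional feature. On 1709 and later the
        # client and server components are listed (and removable) separately.
        Get-WindowsOptionalFeature -Online |
            Where-Object { $_.FeatureName -like 'SMB1Protocol*' } |
            Select-Object FeatureName, State
    }
    else {
        # Windows 7: no optional feature. The server side is controlled by the
        # SMB1 registry value; a missing value means the default, enabled.
        $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $state = if ($v -eq 0) { 'Disabled' } else { 'Enabled' }
        New-Object PSObject -Property @{
            FeatureName = 'SMB1 server (registry value)'
            State       = $state
        }
    }
}

Get-Smb1State | Format-Table -AutoSize

# Set to $true to switch off only the SMB1 *server* side. The SMB1 client stays
# in place, so this PC can still reach older devices but no longer answers
# SMB1 requests itself. A reboot is needed before the change takes effect.
$DisableServer = $false

if ($DisableServer) {
    if ($hasFeatures) {
        # Windows 10 1709 or later (feature name does not exist on 8.1).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server -NoRestart
    }
    else {
        # Windows 7: same registry value as in the post above, typed as DWORD.
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    Get-Smb1State | Format-Table -AutoSize
}
```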
b
Manager-
Noel Carboni
AskWoody_MVP -
b
Manager -
Noel Carboni
AskWoody_MVP
How could I know? Go look at the source code.
How is it possible that a protocol is still being delivered with “The Most Secure Windows Ever” that is so insecure that it must be disabled in order to eliminate threats? Oh, that’s right, computers don’t have any more power to do error checking than they did in the 1980s when the protocol was developed.
-Noel
1 user thanked author for this post.
-
-
anonymous
Guest
I’m fine with that. I think it was a bad solution. SMBv1 appears to be what allows you to browse the network. It’s how you can see the names of the other devices on the network. So people use it even if they don’t actually use SMBv1 for file transfers. They should have replaced it with another way to broadcast the names of your servers without the hole.
GoneToPlaid
AskWoody Lounger
Any SMBv1 danger if I don’t have SMBv1 server installed and enabled?
The potential danger is ransomware which uses SMBv1 to find and encrypt data on other hard drives on the local network. Some AV products have features which will alert you before any new or unknown process attempts to access data on drives, folders, and shares which you specify. This greatly helps to mitigate the damage of ransomware across a local network.
I am looking at three stand-alone products which are compatible with AV products, and which supposedly can undo the damage of ransomware. A report said that all three were 100% successful in various tests. I called one of the product companies, and I found out that their machine learning actually is only 99% successful. I am still investigating the other two products. One of these two products might actually be able to be 100% successful every time, since it waits until it has gathered enough data to compare the pre-encrypted files to the post-encrypted files, and has verified that it has successfully generated and tested the decryption keys. All three of these products set up honeypots on your computer for the ransomware to hit first.
1 user thanked author for this post.
-
b
Manager
Thanks, but that doesn’t answer my question; which was whether it’s safe to have only the client component of SMBv1 enabled (on Windows 10 1709/1803, not possible with earlier versions).
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
1 user thanked author for this post.
-
GoneToPlaid
AskWoody Lounger
-
anonymous
Guest-
PKCano
Manager
The yyyy-mm Monthly Rollup is composed of three parts: the security updates, the non-security updates and the cumulative update for IE11. It is released on the second Tues of the month (Patch Tues).
The yyyy-mm Preview Rollup is composed of four parts: the three parts of the Monthly Rollup with the same yyyy-mm designation PLUS the non-security updates for the following month (yyyy-mm+1). Traditionally, it was issued on the third (C) Tuesday of the month. But MS’s schedule has slipped by the wayside, and you can expect it when you see it later in the month.
So, the Preview you mentioned contains the 2018-07 (July cumulative) Monthly Rollup and the non-security updates that will be a part of the 2018-08 (August cumulative) Monthly Rollup.